
If that doesn't work, then find your WINS server (assuming you have WINS enabled) and do the lookup manually that way.

Either way you will find the IP address of the offending workstation. Then go visit them and find out what is going on. That box /could/ have been compromised from outside and is a hopping point to the rest of your network.

Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

You could also look at the ARP table; the IP information stays around (for a short period) even after the connections have dropped. Try "arp -a": it will give you a list of IPs that have connected, and your "attacker" may be one of them.

There are two rules for success in life:
Rule 1: Don't tell people everything you know.

The error messages are account lockout responses. I am surprised that the user hasn't complained.

I don't know your naming conventions but do you have a G. Alkenson working there?

I would be inclined to pull the box and scan it in safe mode for malware... Sounds like some sort of bot or backdoor to me. I would definitely take it offline until I had resolved the issue.

If you cannot do someone any good, don't do them any harm...
As long as you did this to one of these, the least of my little ones... you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

We don't have WINS enabled; however, I located an IP in one of the logs when he tried to hit a local computer account. The IP is 82.52.2.153.

I did a "winfo 82.52.2.153 -n" and got some info, such as the user account logged in (Lucios) and other accounts on the machine (Admin, Marcios), as well as the OS: Win2000. However, my computer then decided to blue screen, and when I returned the null-share hole in his computer was fixed, but luckily not before I pulled all the IP addresses that it was connected to.

They all had the 82.52 prefix, but the last two octets changed.


I'm in the process of Nmapping and using Nessus to figure out some more info. So far I'm trying to contact the service provider of that IP range. I believe it's isolated to either Italy or Amsterdam.


Yeah, he's probably about to have all the users in the AD give him a call because their accounts are locked out. He said it looks to be progressively scanning all user accounts in the AD, so I'm betting someone installed something like Retina on that box and misconfigured it, or there is malware on that box doing something bad, or perhaps the box has been compromised and is being used to scan the network looking for weak passwords (and once again, someone misconfigured the utility to do it).

These are just guesses, though. I would find the IP address first, then yank it from the network to isolate it. Then sit at the desk and see who calls up complaining.

Actually, I would go visit the box in question after yanking it, but you never know if it is an authorized scan from a different group.


Hrm, just saw your response. So you are saying these scans are originating from outside of your network to your internal network?

What kind of firewall are you guys running? Just drop connections from that IP address and be done with it. But then you are going to have to scan your entire network to make sure they didn't get into anything in there.


We used to get this all the time. We ended up using IPSec to block all but the necessary ports to prevent the AD lockout issue. Essentially, that is what this attack is, to lock out your AD accounts. The result is that accounts get locked out and then in about 30 minutes or whatever your settings are, they come back. Problem is, admin and service accounts get nailed, too.

You can block this on the perimeter, to an extent, but the IPSec solution is the best and most effective.
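As an added example (not code from the thread or any poster), here is a small Python script that does what the posts above describe: it finds the caller computer behind a run of account lockouts by checking, per source host, how many distinct accounts it locked within one lockout window. The record format, host names and account names are constructed for the example; real Windows lockout events carry the same information (account name and caller computer name) in a different layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lockout records (a simplified "timestamp account caller"
# layout, not a real event-log format). One host walks through many accounts;
# one ordinary user locks out only their own account.
SAMPLE_LOCKOUTS = """\
2004-03-01T09:00:05 account=galkenson caller=WS-LUCIOS
2004-03-01T09:00:41 account=jsmith caller=WS-LUCIOS
2004-03-01T09:01:17 account=svc_backup caller=WS-LUCIOS
2004-03-01T09:01:52 account=mjones caller=WS-LUCIOS
2004-03-01T09:30:00 account=bwhite caller=WS-BWHITE
2004-03-01T11:45:09 account=galkenson caller=WS-LUCIOS
"""

LINE_RE = re.compile(r"^(\S+) account=(\S+) caller=(\S+)$")


def parse_lockouts(text):
    """Return (timestamp, account, caller) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2).lower(), m.group(3).upper()))
    return events


def spraying_callers(events, window=timedelta(minutes=30), min_accounts=3):
    """Callers that locked out >= min_accounts distinct accounts inside one window.

    A user mistyping their own password locks one account; a host sweeping the
    directory locks many different accounts in a short span, which is the
    pattern the thread describes. Returns {caller: set_of_locked_accounts}.
    """
    by_caller = defaultdict(list)
    for ts, account, caller in sorted(events):
        by_caller[caller].append((ts, account))
    flagged = {}
    for caller, hits in by_caller.items():
        for i, (start, _) in enumerate(hits):
            accounts = {a for t, a in hits[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[caller] = flagged.get(caller, set()) | accounts
    return flagged
```

Once a caller is flagged, the thread's advice applies: isolate that host, then check whether the scan was authorised before assuming compromise.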